Data Protection and Pension Schemes

By Archana Gupta, Associate, Pensions Team, Squire Sanders
EU data protection legislation is being overhauled and new regulations are expected to be in force in the UK within a year. These will allow the Information Commissioner ("ICO") to fine parties who breach the data protection legislation up to 2% of their annual worldwide turnover, and will introduce new notification requirements for data breaches. Trustees cannot afford to neglect their duty to ensure that members' data is protected.
 
As "data controllers", trustees already have a statutory duty to comply with data protection legislation, currently the Data Protection Act 1998 (the "Act"). Consequently, trustees carry the obligations and liabilities that come with processing scheme members' and beneficiaries' personal information.
 
One of the main areas of risk for pension scheme trustees as data controllers is the work outsourced to external service providers or, indeed, to the sponsoring employer where scheme administration is handled in-house ("data processors"). Trustees remain liable for all breaches of the Act by third parties who process information on their behalf, e.g. administrators, actuaries and insurance companies, as well as other service providers. Any breach by a third party is the legal responsibility of the trustees, who can face enforcement action and compensation claims. While no system can be 100% secure, trustees can minimise their risk by ensuring that the third parties they outsource work to have appropriate safeguards in place to maintain information security. Trustees can also put written agreements in place with service providers so that, if they face a claim arising from a breach caused by a provider, they can hold that provider to account for any loss suffered as a result of mishandled or lost data.
 
Trustees cannot afford to carry out due diligence only at the pre-contractual stage; they must ensure that service providers are asked to confirm on an ongoing basis that they have appropriate measures in place to safeguard members' data and comply with the Act. This helps the contract keep pace with changes in the legislation and the regulatory environment. For example, the ICO has only recently stated specifically that holding significant amounts of unencrypted data on portable devices is a breach of the Act; contracts put in place before this statement may not allocate liability for such a breach unless the service provider is explicitly required to re-state its compliance with the Act from time to time. Trustees would, in that case, be liable for the breach without being able to hold the service provider to account for any loss.

Another area trustees need to think carefully about before sharing members' data is where the employer requests information for, for example, an internal website or a pension calculator. Members' data can only be processed in specified circumstances (such as where processing is necessary to comply with a legal obligation, which includes trustees' obligations under a scheme arising under trust law and statute rather than under any contract). However, this provision is unlikely to be relied on successfully for disclosure of members' data to employers, because the trustees' legal obligations relate to administration of the scheme and not to administration of the company's remuneration policies. There are other permitted circumstances that could enable such processing of data, but it is unlikely that these would allow the disclosure of "sensitive" personal data (such as information about a member's health), which generally cannot be processed without the explicit consent of the member concerned.
 
The new draft European regulations aim to bring into force a harmonised EU data privacy regime that will be directly effective in all EU member states. On current drafts, they will place even more onerous accountability obligations on data controllers than the Act does. If the regulations are introduced without amendment, trustees will be under an obligation to notify the ICO of data protection breaches within 24 hours (or to provide justification where notification is not made within 24 hours). Trustees will also be required to have transparent and easily accessible policies on the processing of personal data and the exercise of data subject rights, in order to demonstrate compliance with the new regulations. The good news is that the regulations will, for the first time, also impose express obligations on data processors. This will ensure that service providers cannot argue that they are not in a position to decide what level of security is appropriate to protect members' data, and that they can, in some circumstances, be held to account directly by members.
 
The ICO's initial response to the draft regulations described them as "unnecessarily and unhelpfully over-prescriptive posing a challenge for its practical application and risks developing a 'tick box' approach to data protection compliance." While the draft regulations are at an early stage and are likely to be revised as they go through approval by the EU member states and ratification by the European Parliament, the consensus is that the regulations will increase the compliance burden on data controllers. Trustees should ensure that their current practices do not put them in breach of the Act, and that they are prepared for the more onerous obligations the regulations are likely to impose, especially in light of the potentially increased powers to fine data controllers.
